The OCC updated community bank BSA/AML examination procedures in November 2025 to allow examiners to carry forward prior conclusions for up to one cycle when risk profiles are stable

In November 2025, the Office of the Comptroller of the Currency quietly updated its community bank BSA/AML examination procedures in a way that deserves more attention than it has received. The change is procedural on its surface, but the signal it sends is substantive: the OCC is now willing to carry forward prior exam conclusions for up to one examination cycle — without re-examining underlying BSA program elements — when a bank can demonstrate that its risk profile has not materially changed and its program remains well-functioning.

The carry-forward flexibility applies only to institutions that demonstrate qualified independent testing, well-documented risk assessments, and AML integration into change management

Translation for the compliance professionals who matter most here: a strong, documented, independently tested BSA program can meaningfully reduce the burden of your next examination. That is not a minor administrative tweak. It is a structural shift in how the OCC calibrates its examination resources — and it creates a direct, measurable financial incentive for institutions to invest in program quality rather than minimum adequacy.

Change management integration — compliance consulted before business changes, not after — is the criterion most institutions currently fail to satisfy

But the flexibility has conditions. It does not apply broadly. It does not apply automatically. And it does not apply to institutions whose programs were marginal to begin with. The OCC has made clear that carry-forward conclusions are available only to institutions that can affirmatively demonstrate three specific things: qualified independent testing that meets scope and frequency requirements, well-documented risk assessments that accurately reflect the institution's current risk profile, and evidence that the AML function is integrated into change management decisions — meaning compliance is consulted when the business changes, not informed after the fact.

Independent testing must be genuinely independent, cover all five BSA elements, produce a written report, and result in fully remediated findings

That third criterion is the one most institutions will struggle to satisfy, and it is worth dwelling on. The OCC is not just asking whether your risk assessment is current or whether your testing happened on schedule. It is asking whether your compliance program is operationally embedded — whether the people responsible for BSA/AML are meaningfully involved when your institution launches a new product, enters a new market, changes its customer mix, or alters its transaction profile. That is a higher standard than most community banks currently meet, and it reflects the OCC's broader view that a compliance program that reacts to change is structurally weaker than one that anticipates it.

Risk assessments must be current (updated within 12 months or after material change), comprehensive across all three risk dimensions, and analytically supported

What does qualified independent testing look like under the OCC's framework? The examination guidance has always required independent testing, but the carry-forward provision gives the OCC a clear reason to evaluate testing quality more carefully than it might have previously. Independent testing must be conducted by someone with genuine independence from the program being reviewed — not an internal audit function that reports to the same senior manager as the BSA officer, and not a consultant who lacks the industry-specific expertise to evaluate your specific risk profile. The testing scope must cover all five BSA program elements, must produce a written findings report, and must result in findings that are actually remediated. An independent testing report that identifies gaps and sits unremediated is not evidence of a functioning program — it is evidence of a program that knows it has gaps and chose not to fix them.

The carry-forward benefit compounds over time: institutions that earn it once can continue to benefit in subsequent cycles while maintaining program quality

The risk assessment criterion is similarly demanding in practice, even if it sounds routine. The OCC is looking for a risk assessment that accurately reflects where the institution actually is today — not where it was when the assessment was last written. This means the assessment must be current, which the OCC generally interprets as updated within the past 12 months or following any material change to the institution's business. It must cover the full three dimensions of BSA risk: products and services, customer base, and geographic footprint. And it must produce risk ratings that are genuinely calibrated to the institution's actual exposures, not assigned to satisfy a template. A risk assessment that rates every risk category as "moderate" without specific factual support for those ratings will not satisfy an OCC examiner evaluating carry-forward eligibility.

The OCC has effectively published the rubric for reduced examination burden — it is achievable, and the cost of deferring program investment is now explicit

The change management integration criterion is the most forward-looking of the three. It reflects the OCC's recognition that the most common pathway to BSA program failure is not fraud or negligence — it is drift. Institutions that expand into new business lines, bring on new customer segments, or change their delivery channels without corresponding updates to their BSA programs end up with programs that were adequate when they were built but are no longer calibrated to the institution's actual risk. By requiring evidence of change management integration, the OCC is trying to identify institutions whose programs will remain accurate over time, not just at a single point in examination.

For MSBs and fintechs, this reinforces a longstanding principle: the cost of a good AML program is far lower than the cost of a bad examination

For the MSBs and fintech companies that we work with, the OCC's update reinforces something we have been saying directly to clients for years: the cost of a good AML program is far lower than the cost of a bad examination. That statement has always been true in the abstract — remediation after an examination finding is expensive, examinations themselves consume management time and attention, and enforcement actions carry consequences that extend well beyond the penalty itself. But the OCC's carry-forward provision makes the math more concrete. An institution that invests in the three elements the OCC cites — qualified independent testing, well-documented risk assessments, and change management integration — is not just reducing its examination risk. It is potentially reducing the duration and intensity of its next examination. That is a quantifiable return on compliance investment that boards of directors and senior management teams can evaluate.

There is a practical question worth addressing directly: how does an institution know whether it is positioned to benefit from the carry-forward provision? The most honest answer is that the institutions best positioned to benefit are the ones that already know the answer without being asked. If your BSA officer can immediately identify when your independent testing was last completed, describe what it covered, point to the written report, and confirm that the findings have been fully remediated — you are in the right posture. If your risk assessment was last updated more than a year ago, or if it was updated but not because the business actually changed, or if it was updated but the underlying analysis is thin — you are not. If your compliance team is typically informed about new products after they launch rather than consulted before — you are not.

The carry-forward provision is not a one-time benefit. Institutions that earn it in one examination cycle by demonstrating these three elements can continue to benefit in subsequent cycles as long as their risk profile remains stable and their program remains well-functioning. That creates a compounding incentive structure: institutions that invest early in program quality accumulate examination credibility that reduces their burden over time, while institutions that treat compliance as a minimum-adequacy exercise face full examination scrutiny every cycle. Over a multi-year horizon, the difference in examination resources consumed — and the management time and attention that examination preparation requires — is material.

Is your current BSA program documented well enough to earn that flexibility? If the answer is anything other than an immediate yes, that question is worth taking seriously — not as an abstract aspiration, but as a concrete program evaluation. Start with the three criteria the OCC has identified. When was your last independent testing engagement? Who conducted it? Does the written report cover all five BSA program elements? Are the findings fully remediated? Is your risk assessment current, comprehensive, and analytically supported? Can you demonstrate, through documented meeting records or change management policies, that AML compliance is involved in business change decisions before they are implemented?

If any of those questions produces a hesitant answer, the path forward is clear: the OCC has effectively published the rubric. Programs that meet these standards get examination credit. Programs that do not get full examination scrutiny. The standard is achievable, the incentive is real, and the opportunity cost of continuing to defer program investment has never been more explicit.